EP 0 849 657 A1

(54) Secure data processing method and system

(57) A secure data processing system comprises a central processor unit (11), memory (12) and a security circuit (15) in the form of an application specific integrated circuit. The security circuit has a cryptographic engine (19) and a cryptographic key store (18).

The cryptographic engine operates on the contents of the cryptographic key store to generate a digital signature. Means are provided to generate a digital signature from a software or hardware component to be checked for authenticity and to compare the digital signature from the component with the generated digital signature. An indication of the authenticity of the component is generated as a result of the comparison. The components of the system that can be checked include the boot firmware (16) for the system, the operating system and plug-in cards (13) for the system.
Description

The present invention concerns a secure data processing method and system and is of particular application to a 
financial terminal. 

In a data processing system it is usual to provide a programmable central processor unit, memory and other 
software and hardware components. It is desirable to provide a software and hardware environment where the user 
or operator of the system can trust all of the software and hardware components of the system. To achieve this objective 
some means has to be provided to decide whether the components of the system have been compromised either at 
initial installation of the components or at a later stage when new or upgraded components are introduced to the system. 

For a data processing system including a programmable central processor unit it is important to authenticate the 
operating system of the central processor unit. If plug-in cards are used to provide upgrades to the functionality of the 
system it is also important to authenticate these plug-in cards. The means to authenticate the components of the data 
processing system must be such as to provide security for the authentication process itself if the authentication process 
is to be reliable in detecting any compromise of the components of the system. 

It is therefore an object of the present invention to provide an effective method and system for testing one or more 
components of a data processing system in order to determine the authenticity of the tested component or components. 

According to the present invention there is provided a method of determining the authenticity of one or more system 
components of a data processing system which also includes a programmable central processor unit, memory, a se- 
curity circuit having a cryptographic engine, and a cryptographic key store, the method comprising the steps of entering 
one or more keys into the cryptographic key store, operating on the contents of the cryptographic key store by means 
of the cryptographic engine to generate a digital signature referenced to a component of the system to be authenticated, 
generating a digital signature from the component to be authenticated, and providing an indication of authenticity by 
comparing the digital signature generated by the cryptographic engine with that generated from the component to be 
authenticated. 

Further according to the present invention there is provided a data processing system including one or more com- 
ponents to be checked for authenticity, a programmable central processing unit, memory and a security circuit having 
a cryptographic engine and a cryptographic key store for storing one or more cryptographic keys, the cryptographic 
engine being adapted to operate on the contents of the cryptographic key store to generate a digital signature refer- 
enced to a component of the system to be checked for authenticity, and means being provided to generate a digital 
signature from the component to be checked for authenticity and to provide an indication of authenticity by comparing 
the digital signature generated by the cryptographic engine with that generated from the component to be authenticated. 

The invention will now be described, by way of example, with reference to the accompanying drawings in which: 

Figure 1 shows a block diagram of a data processing system according to the present invention, 

Figure 2 shows detail of a security circuit included in the system of Figure 1, 

Figure 3 shows a flow diagram of the operation of the system of Figures 1 and 2, and 

Figure 4 shows a flow diagram relating to the update of cryptographic keys used in the system of Figures 1 and 2. 

Referring first to Figure 1, there is shown a data processing system 10 which may be an automatic teller system
or a personal computer system. The system 10 has a central processor unit 11, a memory 12, provision for additional
plug-in cards 13, permanent storage 14, a security circuit 15 in the form of an application specific integrated circuit
(ASIC) and boot firmware 16. The components of the data processing system 10 are linked by means of a processor
data bus 17 in conventional manner well understood by those skilled in the art. In addition the system runs under an
operating system (OS) in a manner well understood in the art.

The security circuit 15 is shown in greater detail in Figure 2. Referring now to Figure 2, the circuit 15 includes a
cryptographic key and password store 18, a cryptographic engine 19, a store 20 for a digital signature, control and
interface firmware 21 and an I/O bus 22 communicating with the system bus 17. The cryptographic engine 19 supports
both symmetric and asymmetric algorithms. The control and interfacing firmware 21 is designed to perform the initial
start-up of the data processing system.

Means (not shown) are provided to allow the operator of the system to input keys and passwords into the security
circuit 15. All the keys stored in the storage 18 are password protected, with the password defined (and changeable)
by input from the user of the system. A key can therefore only be altered if the corresponding password is known and
entered by the user.

The keys in the store 18 are present to allow system components including firmware components and software
components to be authenticated. The components to be authenticated in the system of Figure 1 include the operating
system (OS), the firmware on the plug-in cards 13, and the boot firmware 16. The invention may be applied to a system
which has either more or fewer system components to be authenticated than the system depicted in Figure 1. For
example a simpler system may not provide for the plug-in cards 13 and in this case provision may not be required to
authenticate such cards.

Each of the components of the system which are to be authenticated includes a digital signature which is embedded
in the firmware of the component. The digital signature is embedded at a predefined location and is created by the
supplier of the component as part of the manufacturing process. The algorithm for generating the digital signature uses
an asymmetric key pair, with the vendor keeping the private key securely and distributing the public key with
the component to be authenticated. The public key is entered into the circuit 15 when the component is installed into
the data processing system 10. The check therefore binds a component to whichever public key was entered for it at
installation, so the entry of that key is itself security relevant; this is why key entry into the store 18 is password
protected as described above.

The creator of each of the cryptographic keys entered into the circuit 15 will depend on the source of the component
to which the keys relate. The keys may be symmetric or asymmetric and validate the respective components of the
system according to the cryptographic process determined within the security circuit 15. The authentication process
is protected against tampering because the whole process is contained within the security ASIC 15 and it is not feasible to
alter the contents of this ASIC. The security system cannot be disabled.
A number of keys are pre-defined as shown in the following Table 1 : 
TABLE 1

Key Name   Type          Use                                        Creator
Boot       Asymmetric    Validation of boot firmware by ASIC 15     The creator of the boot firmware
Card x     Asymmetric    Validation of firmware of cards (1-x)      The creator of the card firmware for cards (1-x)
OS         Not stated    Validation of operating system boot        Automatically generated by the ASIC (15)

(The type of the 'OS' key is not given in the original table; the key is generated and used only inside the ASIC. The
'Card x' type follows from the description above, which states that vendor-signed components use an asymmetric key pair.)

The process of starting up the data processing system of Figures 1 and 2 is shown in the flow diagram of Figure
3. Referring now to Figure 3, the power on step 23 is followed by processor start-up step 24 and the execution at step
25 of the initial code of the ASIC 15. A decision is taken at step 26 whether the boot key has been loaded, and validation
of the boot PROM 16 takes place in step 27 either directly or via step 28 if the boot key has to be entered. The process
of validation in step 27 comprises the generation within the ASIC 15 of the expected digital signature using the 'Boot'
key. The generated digital signature is then compared to the actual digital signature from the boot PROM 16 and an
indication is generated in step 29 whether the boot PROM is valid. If not valid, the process in Figure 3 is stopped.

If the boot PROM 16 is validated, the process continues through step 30 to execute the boot PROM and then
begins in step 31 to operate on each of the plug-in cards 13. In the flow diagram of Figure 3, each card x (where x is
the number of each card taken in turn) is checked by determining in step 32 if the corresponding card key has been
entered in the ASIC 15, and validation proceeds in step 33 either directly if the key has been entered, or via step
34 if the key has still to be entered. Validation of each plug-in card 13 is achieved by comparison of the digital signature
generated for that card by the cryptographic engine 19 with the digital signature embedded in the card, using the
appropriate 'Card x' key. An indication is generated in step 35 whether the card is valid. If the card is valid, the card
initial code is executed in step 36.

If there are succeeding cards to be validated, this is determined in step 37 and the validation of all the cards
continues until all have been validated. Following validation of the cards, the boot record is validated in step 38 and
an indication provided in step 39 whether the boot record is valid. The process of validation in step 38 is performed by
generating a digital signature for the operating system boot using the 'OS' key and comparing this against the digital
signature stored in the digital signature store 20. If the boot record is valid, the boot record code is executed in step
40 and the system is running. Each stage of the sequence therefore executes only code that the previous stage has
already validated, and a failure at any stage halts the system rather than continuing with an unverified component.
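The start-up sequence of Figure 3, modelled in Python as an added example; this is not code from the patent or from any product it describes. The example assumes that each vendor signature is embedded as the last 12 bytes of its firmware image, that asymmetric signatures are textbook RSA over a 92-bit toy modulus built from two Mersenne primes with the SHA-256 digest folded to 64 bits so that it lies below the modulus (a toy with no security margin, chosen only to keep the block self-contained and offline), and that the 'OS' key of Table 1 is a 256-bit HMAC key generated inside the ASIC. The class and function names, and the sample firmware images, are the example's own.

```python
import hashlib
import hmac
import secrets

# Toy asymmetric scheme (assumption, not the patent's): textbook RSA with a 92-bit
# modulus from two Mersenne primes. A real deployment would use >= 2048-bit keys
# and a padded signature scheme; this only keeps the example self-contained.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # vendor's private exponent
SIG_LEN = 12                              # assumed size and location (tail) of the embedded signature


def _digest_int(image: bytes) -> int:
    # SHA-256 of the image, folded to 64 bits so the value lies below the toy modulus N
    return int.from_bytes(hashlib.sha256(image).digest()[:8], "big")


def vendor_sign(image: bytes, private_d: int = D, n: int = N) -> bytes:
    """Done by the component supplier at manufacture with its private key."""
    return pow(_digest_int(image), private_d, n).to_bytes(SIG_LEN, "big")


def build_component(image: bytes) -> bytes:
    """Firmware image with the vendor signature embedded at the predefined location (the tail)."""
    return image + vendor_sign(image)


class SecurityASIC:
    """Key store 18, signature store 20 and cryptographic engine 19 of security circuit 15."""

    def __init__(self):
        self.key_store = {"OS": secrets.token_bytes(32)}   # 'OS' key generated inside the ASIC (Table 1)
        self.signature_store = {}                          # store 20: expected signatures

    def enter_key(self, name: str, public_key: tuple) -> None:
        """Operator enters a vendor public key (e, n) for 'Boot' or 'Card x' (steps 28 and 34)."""
        self.key_store[name] = public_key

    def verify_component(self, key_name: str, blob: bytes) -> bool:
        """Recover the signed digest with the stored public key and compare it with the image digest."""
        if key_name not in self.key_store:
            raise KeyError(f"key {key_name!r} has not been entered into the ASIC")
        e, n = self.key_store[key_name]
        image, sig = blob[:-SIG_LEN], blob[-SIG_LEN:]
        recovered = pow(int.from_bytes(sig, "big"), e, n)
        return recovered == _digest_int(image)

    def _os_mac(self, boot_record: bytes) -> bytes:
        return hmac.new(self.key_store["OS"], boot_record, "sha256").digest()

    def sign_boot_record(self, boot_record: bytes) -> None:
        """Generate and keep the OS boot record signature in store 20 (install time or regeneration)."""
        self.signature_store["boot_record"] = self._os_mac(boot_record)

    def verify_boot_record(self, boot_record: bytes) -> bool:
        expected = self.signature_store.get("boot_record")
        return expected is not None and hmac.compare_digest(expected, self._os_mac(boot_record))


def start_up(asic: SecurityASIC, boot_prom: bytes, cards: list, boot_record: bytes) -> list:
    """Figure 3 as a function: returns the ordered validation log and stops at the first failure."""
    log = []
    if not asic.verify_component("Boot", boot_prom):                     # steps 27 / 29
        return log + ["boot PROM invalid: STOP"]
    log.append("boot PROM valid, executed")                              # step 30
    for x, card in enumerate(cards, start=1):                            # steps 31 - 37
        if not asic.verify_component(f"Card {x}", card):
            return log + [f"card {x} invalid: STOP"]
        log.append(f"card {x} valid, initial code executed")
    if not asic.verify_boot_record(boot_record):                         # steps 38 / 39
        return log + ["boot record invalid: STOP"]
    return log + ["boot record valid, system running"]                   # step 40


def demo() -> tuple:
    """Constructed images: one clean start-up and one where a single byte of card firmware was changed."""
    asic = SecurityASIC()
    asic.enter_key("Boot", (E, N))
    asic.enter_key("Card 1", (E, N))          # same vendor key for both components, for brevity
    boot_prom = build_component(b"boot firmware v1")
    card1 = build_component(b"card firmware v3")
    boot_record = b"operating system boot record v2"
    asic.sign_boot_record(boot_record)        # signature kept in store 20
    clean = start_up(asic, boot_prom, [card1], boot_record)
    tampered_card = card1[:5] + b"X" + card1[6:]   # image altered, embedded signature untouched
    tampered = start_up(asic, boot_prom, [tampered_card], boot_record)
    return clean, tampered


if __name__ == "__main__":
    clean_log, tampered_log = demo()
    print("\n".join(clean_log + ["---"] + tampered_log))
```

The order of checks matters: the boot PROM is validated before it runs, each card before its initial code runs, and the boot record last, so a component that fails is never executed. Note that a missing key raises rather than silently passing, which corresponds to the wait-for-key-entry steps 28 and 34 of the figure.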
Referring now to Figure 4, the method of updating the keys will be described. To commence an operating system
or card key update, from step 41, a check is made in step 42 whether the terminal is running. If not running, the system
is powered up in step 43 and a check made in step 44 whether the system has failed. If it has, an update function key
is pressed, the password for the selected key is entered and the new key is entered, to arrive at step 45 where the
system starts normally.

If at step 44 the terminal has not failed, the key update program is run in step 46 and the operator of the system
selects which key to update in step 47. The password for the selected key is entered at step 48, the new key is entered
at step 49 and the system is powered down in step 50. The system component (either a card 13 or the BIOS) is replaced
at step 51 and the terminal powered up again at step 52.

If there is a boot record failure as shown in step 53, an update function key is pressed at step 54 and the password
for the operating system signature is entered at step 55. This results in the operating system digital signature being
re-generated. The operating system then operates normally at step 56. Note that this step re-signs whatever boot record
is currently present, so the operating system password is the effective root of trust for the boot record check and should
only be entered once the cause of the failure is known.
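The key update procedure of Figure 4, as an added example in Python that is not code from the patent or from any product it describes. It assumes that the store 18 keeps, per key, a salted SHA-256 digest of the operator's password (the patent only says that keys are password protected and says nothing about how the ASIC stores passwords; a real device would also rate-limit attempts), that the 'OS' key is a 256-bit HMAC key generated inside the ASIC, and that the boot record signature in store 20 is an HMAC-SHA256 over the boot record. The class and function names and the sample keys and passwords are the example's own.

```python
import hashlib
import hmac
import secrets


class KeyAndPasswordStore:
    """Store 18 of the security circuit: each key is protected by its own operator password."""

    def __init__(self):
        self._keys = {}       # key name -> key material
        self._pw = {}         # key name -> (salt, SHA-256(salt || password)), an assumed layout
        # the 'OS' key is generated inside the ASIC (Table 1); its password is defined by the operator
        self._keys["OS"] = secrets.token_bytes(32)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.sha256(salt + password.encode("utf-8")).digest()

    def set_password(self, name: str, password: str) -> None:
        """Define (or change) the password of a key; assumed to happen when the key is first entered."""
        salt = secrets.token_bytes(16)
        self._pw[name] = (salt, self._digest(salt, password))

    def check_password(self, name: str, password: str) -> bool:
        if name not in self._pw:
            return False
        salt, stored = self._pw[name]
        return hmac.compare_digest(stored, self._digest(salt, password))

    def enter_key(self, name: str, key, password: str) -> None:
        """Initial entry of a key (Figure 3, steps 28 and 34): stores the key and defines its password."""
        if name in self._keys:
            raise KeyError(f"key {name!r} already exists; use update_key with its password")
        self.set_password(name, password)
        self._keys[name] = key

    def update_key(self, name: str, password: str, new_key) -> None:
        """Figure 4, steps 47 to 49: select the key, enter its password, enter the new key."""
        if not self.check_password(name, password):
            raise PermissionError(f"wrong password for key {name!r}: update rejected")
        self._keys[name] = new_key

    def get(self, name: str):
        return self._keys[name]


def os_signature(store: KeyAndPasswordStore, boot_record: bytes) -> bytes:
    """Digital signature of the OS boot record as generated by the engine with the 'OS' key."""
    return hmac.new(store.get("OS"), boot_record, "sha256").digest()


def regenerate_os_signature(store: KeyAndPasswordStore, signature_store: dict,
                            password: str, boot_record: bytes) -> bool:
    """Figure 4, steps 53 to 56: after a boot record failure the OS password is entered and the
    signature in store 20 is regenerated over the boot record now present. Returns True on success."""
    if not store.check_password("OS", password):
        return False
    signature_store["boot_record"] = os_signature(store, boot_record)
    return True


def boot_record_valid(store: KeyAndPasswordStore, signature_store: dict, boot_record: bytes) -> bool:
    expected = signature_store.get("boot_record")
    return expected is not None and hmac.compare_digest(expected, os_signature(store, boot_record))


def demo() -> dict:
    """Constructed scenario: a card key update with a wrong and then the right password, and an OS
    upgrade whose boot record fails validation until the signature is regenerated with the OS password."""
    store, sig_store = KeyAndPasswordStore(), {}
    store.set_password("OS", "os-secret")
    store.enter_key("Card 1", b"vendor-public-key-v1", "card1-secret")
    result = {}
    try:
        store.update_key("Card 1", "guess", b"vendor-public-key-v2")
        result["wrong_password_accepted"] = True
    except PermissionError:
        result["wrong_password_accepted"] = False
    store.update_key("Card 1", "card1-secret", b"vendor-public-key-v2")
    result["card_key_after_update"] = store.get("Card 1")
    old_os, new_os = b"boot record v1", b"boot record v2"
    regenerate_os_signature(store, sig_store, "os-secret", old_os)      # signature at install time
    result["new_os_valid_before_regeneration"] = boot_record_valid(store, sig_store, new_os)
    result["regeneration_with_wrong_password"] = regenerate_os_signature(store, sig_store, "guess", new_os)
    result["regeneration_with_os_password"] = regenerate_os_signature(store, sig_store, "os-secret", new_os)
    result["new_os_valid_after_regeneration"] = boot_record_valid(store, sig_store, new_os)
    result["old_os_valid_after_regeneration"] = boot_record_valid(store, sig_store, old_os)
    return result
```

The example makes the consequence of the procedure visible: regeneration replaces the stored signature, so after an OS upgrade the previous boot record no longer validates, and a holder of the OS password can bless whatever boot record is present. The per-key password check is the only thing standing between an operator and a key substitution, which is why it must not be bypassable by the host software.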

Once the operating system is started, security is the responsibility of the operating system software. The security
ASIC 15 can then provide validation of digitally signed software.

It will be apparent that the system described allows a trusted start-up sequence that is required for successfully
providing a complete secure system. It is envisaged that the keys could be stored in storage outside the security ASIC
15. For example they could be encrypted under a master key which is held within the security ASIC 15, so that the keys
cannot be read, altered or replaced without the master key. In practice such a wrapping must also authenticate the key
material: encryption alone hides the keys but does not by itself detect their substitution.



Claims 



1. A method of determining the authenticity of one or more system components of a data processing system which
also includes a programmable central processor unit, memory, a security circuit having a cryptographic engine,
and a cryptographic key store, characterized by the steps of entering one or more keys into the cryptographic key
store, operating on the contents of the cryptographic key store by means of the cryptographic engine to generate
a digital signature referenced to a component of the system to be authenticated, generating a digital signature
from the component to be authenticated, and providing an indication of authenticity by comparing the digital
signature generated by the cryptographic engine with that generated from the component to be authenticated.

2. A method as claimed in claim 1, including the further steps of updating a key in the cryptographic key store by
selecting a key to be updated, entering a password for the selected key and entering the updated key.

3. A data processing system (10) including one or more components (13, 16) to be checked for authenticity, a
programmable central processing unit (11) and a memory (12), characterized by a security circuit (15) having a
cryptographic engine (19) and a cryptographic key store (18) for storing one or more cryptographic keys, the
cryptographic engine being adapted to operate on the contents of the cryptographic key store to generate a digital
signature referenced to a component to be checked for authenticity, and means being provided to generate a digital
signature from the component to be checked for authenticity and to provide an indication of authenticity by
comparing the digital signature generated by the cryptographic engine with that generated from the component to be
authenticated.

4. A system as claimed in claim 3, wherein a component to be checked for authenticity comprises boot firmware (16)
for the system.

5. A system as claimed in claim 3 or 4, wherein a component to be checked for authenticity comprises an operating 
system. 

6. A system as claimed in claim 3, 4 or 5, wherein a component to be checked for authenticity comprises a plug-in
card (13).

7. A system as claimed in claim 3, 4, 5 or 6, wherein the security circuit (15) has means (18) for storing passwords 
to control the entry of cryptographic keys into the cryptographic key store. 
8. A system as claimed in any one of claims 3 to 7, wherein the security circuit (15) comprises an integrated circuit.

EP 0 849 657 A1

FIG. 1 (block diagram of the data processing system 10): processor 11, memory 12, card slots 1-x (13), permanent
storage 14, security ASIC 15 and boot firmware 16, all connected to the processor data bus 17.
FIG. 2 (ASIC package, security circuit 15): cryptographic key and password storage 18, cryptographic engine 19,
digital signature storage 20, ASIC control and interface firmware 21, ASIC I/O 22.
FIG. 3 (start-up flow diagram): power on (23); processor startup (24); execute ASIC initial code (25); boot key
loaded? (26), otherwise wait for boot key entry (28); validate PC boot PROM (27); valid? (29), otherwise STOP; execute
boot PROM (30); for each plug-in card x (31): card x key loaded? (32), otherwise wait for card x key entry (34);
validate card x PROM (33); valid? (35), otherwise STOP; execute card x initial code (36); another card? (37);
validate boot record (38); valid? (39), otherwise STOP; execute boot record code (40); system running.
FIG. 4 (key update flow diagram): BIOS or card key update (41); is terminal running? (42); power-up terminal (43);
has the terminal failed? (44); if so: press update function key, enter password for selected signature key, enter new
signature key; terminal starts normally (45). Otherwise: run key update program (46); select key to update (47); enter
password for selected signature key (48); enter new signature key (49); power off terminal (50); replace card or
BIOS (51); power-up terminal (52). Boot record failure (53); press update function key (54); enter password for OS
signature (55); operating system starts normally (56).
EUROPEAN SEARCH REPORT (European Patent Office)

Application Number: EP 97 30 9454

Documents considered to be relevant:

- US 5 473 692 A (DAVIS DEREK L): abstract; figures 5, 6; column 2, line 58 - column 3, line 31; column 7, line 23 - column 8, line 22
- US 5 343 527 A (MOORE JAMES W): the whole document
- US 5 224 160 A (PAULINI WERNER ET AL): abstract; figures 3, 6; column 2, line 1 - column 3, line 32
- KRUSE O: "GUARDING THE OPERATING SYSTEM", SIEMENS MAGAZINE OF COMPUTERS & COMMUNICATIONS (COM), vol. 14, no. 5, September 1986, pages 14-16, XP000611029
- EP 0 707 270 A (IBM)

Relevant-to-claim entries as printed in the report (their pairing with the citations above was lost in extraction):
1,3-6,8; 1,3-6,8; 4,5; 2,7

Classification of the application (Int. Cl.): G06F1/00, G06F12/14
Technical fields searched (Int. Cl.): G06F

The present search report has been drawn up for all claims.
Place of search: The Hague. Date of completion of the search: 26 March 1998. Examiner: Powell, D
